POPI: Are you prepared?

“Personal information is an integral part of the real estate business. The more an agent knows about a client, the better equipped they are to finding the ideal home that meets the individual needs of that client.”

This could be the year the Protection of Personal Information Act (POPI) becomes operational, following which there will be a 12 month window period before compliance is formally policed. Being legislation with far-reaching implications also for the property industry, here is the latest on what is happening with POPI.

When the POPI Act was signed into South African law in November 2013, the expectation was that it would be proclaimed by the end of 2015. That still hasn’t happened, but according to Maryna Botha, director of property law firm Smith Tabata Buchanan Boyes, there are quite a few indications that POPI will become operational this year.

However, she says there are many reasons for the delay at present, from training needs in the Regulator’s office to the fact that there are so many other things on the agenda of the legislature/President that this is last on the list … “But yes, it can be any moment now, or not!”

The property industry was made aware from the start that the implementation of this legislation meant big changes for the industry. Estate agents were advised to pay attention to aspects such as the processing and handling of personal client information, marketing, sales and operations, information technology, finance, human resources, legal, rentals and social networking.

In their preparations for the new legislation to become operational, RE/MAX have been adjusting their digital Customer Relations Management systems to be in line with the regulations set out by the PoPI Act, says Adrian Goslett, regional director and CEO of RE/MAX of Southern Africa.

“Personal information is an integral part of the real estate business. The more an agent knows about a client, the better equipped they are to finding the ideal home that meets the individual needs of that client. All RE/MAX agents are required to respect the information that is shared with them and only use it in a way that benefits a client,” he says.

Jonathan Acutt, managing director of Acutts Estate Agents, says real estate agencies must take a closer look at their business systems and take serious steps to safeguard the personal information of their clients.

“This includes who has access to import any documentation such as mandates and sale agreements in each office.”

He says principals and managers must also look at ways to ensure that agents who collect and handle this information do it in a manner that protects the clients’ information from leaving their management and control.

“From the point of buyers and sellers I think it prudent for clients to enquire as to what each company’s internal POPI processes and procedures are, to ensure that their personal information is in fact protected,” added Acutt.

An important aim of POPI is to protect people from harm and damage by requiring entities, such as also estate agencies, that receive personal information to protect such information. This places a big responsibility on such entities as is fully explained in a recent statement by law firm Phatshoane Henney Group (read the full statement on the Rebosa website).

This includes ensuring data security through appropriate technical and organisational measures. The law firm says it is important to understand that data security is not restricted to personal information that is stored electronically but physical records containing personal information also need to be secured.

Should an information security breach occur, could be through theft, unauthorised use of personal data by an employee or even equipment failure, then the Information Regulator will have to be notified as well as the affected persons. It is the responsibility of this agency, where the breach occurred, to contain it, aim to recover any compromised data (if possible), assess the risks associated with the breach and investigate the cause of the incident and the effectiveness of their response to it.

Should the responsible parties be found guilty of being non-compliant with the requirements set by POPI, they could face a fine of up to a maximum of R10 million or imprisonment of up to 10 years.

The firm therefore advises enlisting the help of technical experts or a POPI specialist to review your current data security systems and to develop the necessary security plans and procedures for your business.

Complying with the new Act comes with challenges, all is not doom and gloom. Andre Fiore listed some of the advantages to complying with POPI in a previous edition of Property Professional. He listed increased customer trust because of greater transparency on what information is collected and how it is processed and used. The improved security measures also would mean better efficiency and reliability of a company’s databases as well as reduced storage and archiving costs because less data is being held. The risk of a data breach should be reduced. All in all complying should a positive overall effect on the company’s controls and good business practice.

Acutt also added that he reckons the required changes shouldn’t slow down the property market.

“Our clients must just understand that we will do everything to protect their personal information.”